On 9 April 2021 3:34:20 am AEST, bo0od <[email protected]> wrote:
>This is nicely written by Qubes documentation:
>
>https://www.qubes-os.org/security/verifying-signatures/
From that page:
> If you’ve already verified the signatures on the ISO directly, then verifying
> digests is not necessary.
Which implies that the signatures are sufficient, right?
What is the benefit to providing the key (.asc) and hashes (.DIGESTS)? The page
you linked provides rationale for providing and checking digital signatures,
but we already provide them.
Carlo
